DevSecOps Boot Camp


3 Days Classroom Session | 3 Days Live Online
Classroom Registration
Individual:
$2750.00
Group Rate:
$2550.00
(per registrant, 2 or more)
GSA Individual:
$2007.50
Live Online Registration
Live Online:
$2750.00
Private Onsite Package

This course can be tailored to your needs for private, onsite delivery at your location.

Request a Private Onsite Price Quote

Professional Credits

IIBA (CDU)

ASPE is an IIBA Endorsed Education Provider of business analysis training. Select Project Delivery courses offer IIBA continuing development units (CDU) in accordance with IIBA standards.

PMI (PDU)

Select courses offer Leadership (PDU-L), Strategic (PDU-S) and Technical PMI professional development units that vary according to certification. Technical PDUs are available in the following types: ACP, PBA, PfMP, PMP/PgMP, RMP, and SP.

Certification
Overview

DevSecOps is more than just a new label – it’s a well-established set of skills, tools and team practices for proactively building security into applications and IT services.

From the start, security has been a key priority for technology professionals who practice the grassroots principles of DevOps. However, even on teams which strive to adhere to DevOps practices, security concerns still take a back seat far too often. The more recent DevSecOps phenomenon does not represent a new idea (secure all the things!) but it does represent a renewed focus on the importance of security in the development lifecycle and its implications for all of downstream IT.

Led by a senior expert, this course teaches your teams how to improve their DevSecOps practice, from guiding principles to daily technical execution.

This DevSecOps boot camp is the most practical, in-depth educational solution for teams who want to understand, apply and improve their skills at “shifting left” in IT security. This expert-led boot camp focuses on the principles, processes, and technical skills necessary to make security and risk profiling a front-end priority: embracing a “quality first” mindset. Teams will leave class understanding that they have a responsibility for how applications and IT services perform once they are complete and in production, even if they are involved primarily in designing, developing or testing those applications. For IT teams primarily on the operations end of the spectrum, this class will teach them how to shift left and collaborate on the upstream work that ultimately impacts the IT security environment, the organization’s risk management, and their own daily jobs.

In this DevSecOps course, you will learn how to:

  • Assess, specify and automate much of the work associated with application security
  • Bridge the typical functional silos in IT that prevent proactive security practices
  • Translate common risks into technical use cases and software requirements
  • Apply “security first” engineering and testing practices throughout the entire application pipeline
  • Use static analysis, broader unit test coverage, and code quality reviews specifically for security
  • Translate the OWASP risks into practical, actionable software development best practices
  • Deploy for security
  • Tie secure development practices and automated engineering to GRC and audit requirements
  • Try new approaches to change management for increased speed, automation, and security
  • Use DevOps-style metrics to measure and monitor security practices and performance
  • Promote the cultural practices that lead to improved responsibility for security outcomes
  • Go back to work with a plan to implement what you learn
Upcoming Dates and Locations
All Live Online times are listed in Eastern Time.
Guaranteed To Run
Request a quote for private onsite training
Jun 10, 2019 – Jun 12, 2019    8:30am – 4:30pm Seattle, Washington

Allied Business Systems - Computer Classrooms
10604 NE 38th Place, Suite 118
Yarrow Bay Office Park-1 North
Kirkland, WA 98033
United States

Register
Jun 10, 2019 – Jun 12, 2019    11:30am – 7:30pm Live Online Register
Jul 15, 2019 – Jul 17, 2019    8:30am – 4:30pm Dallas, Texas

Microtek Dallas
5430 Lyndon B Johnson Fwy
Three Lincoln Centre, Suite 300
Dallas, TX 75240
United States

Register
Jul 15, 2019 – Jul 17, 2019    9:30am – 5:30pm Live Online Register
Aug 12, 2019 – Aug 14, 2019    8:30am – 4:30pm Chicago, Illinois

Microtek Chicago
230 W. Monroe
Suite 900
Chicago, IL 60606
United States

Register
Aug 12, 2019 – Aug 14, 2019    9:30am – 5:30pm Live Online Register
Sep 9, 2019 – Sep 11, 2019    8:30am – 4:30pm Live Online Register
Sep 9, 2019 – Sep 11, 2019    8:30am – 4:30pm Reston, Virginia

Microtek Reston
12950 Worldgate Drive
Monument II Bldg 4th Flr
Herndon, VA 20170
United States

Register
Oct 21, 2019 – Oct 23, 2019    8:30am – 4:30pm Live Online Register
Oct 21, 2019 – Oct 23, 2019    8:30am – 4:30pm New York, New York

NYC Seminar and Conference Center
71 West 23rd
Suite 515-Lower Level
New York, NY 10010
United States

Register
Nov 4, 2019 – Nov 6, 2019    8:30am – 4:30pm Live Online Register
Nov 4, 2019 – Nov 6, 2019    8:30am – 4:30pm Atlanta, Georgia

Microtek Atlanta
1000 Abernathy Rd. NE Ste 194
Northpark Bldg 400
Atlanta, GA 30328
United States

Register
Dec 2, 2019 – Dec 4, 2019    8:30am – 4:30pm Live Online Register
Dec 2, 2019 – Dec 4, 2019    8:30am – 4:30pm Raleigh, North Carolina

ASPE Training
2000 Regency Parkway
Suite 335
Cary, NC 27518
United States

Register
Course Outline

Part 1: DevOps, Security, and DevSecOps: Definitions

  1. DevOps
  2. Security
  3. Risk
  4. Culture
  5. Agility
  6. Testing
  7. Continuous “X” (Integration, Delivery, etc.)

Part 2: Where do we start with security?

  1. Risk review
  2. Policy
  3. Roles
  4. Compliance, regulatory and GRC
  5. The 50% hack rule
  6. The Pipeline Model
  7. Exercise: Defining common security goals

Part 3: Security as a DevOps practice

  1. Traditional vs. “DevOps” security
  2. Tools vs. processes
  3. Security, not compliance
  4. Prioritizing testing for risk
  5. Reducing source code footprint
  6. Static analysis for secure code
  7. Feature toggles for security
    • Toggle points
    • Toggle router
    • Toggle configuration
    • Others
  8. DevSecOps and technical debt management

Part 4: DevSecOps and “requirements”

  1. Designing for security
  2. Assessing risk appetite
  3. Modeling threats
  4. Product architecture
  5. Use cases, antipatterns and abuse cases
  6. Dataflows with trust boundaries

Part 5: Secure development patterns

  1. Secure code overview
  2. OWASP review
  3. Tools for automating OWASP
    • OWASP dependency checkers
    • OWASP Zap during regular functional tests
  4. Developer guidelines & checklists
  5. Compiler Security Settings (per)
  6. Tools to use
  7. Coding Standards (per language)
  8. Common pitfalls (per language)
  9. Secure/Safe functions/methods
    • Stack Canaries
    • Encrypted Pointers
    • Memory Initialization
    • Function Return Checking (e.g. malloc)
    • Dereferencing Pointers
  10. Integer type selection
    • Range Checking
    • Pre/post checking
  11. Synchronization Primitives

Part 6: Security Testing in the Pipeline

  1. Testing before commit
  2. Scanning for secrets
  3. Hook examples
  4. Application security testing
    • Static
    • Dynamic
  5. Testing dependencies
  6. How to treat manual testing
  7. Performance Testing
    • Testing for load
    • Testing for stress
    • Soak tests
    • Spike testing
  8. Testing in parallel
  9. Staging
  10. Mutation testing and tools for performing it
  11. User role testing

Part 7: Identity and Access Management (IAM)

  1. IAM overview
  2. Identity profiles
  3. Using IAM for automation
  4. IAM practices in the cloud
  5. IAM as an application building block
  6. IAM antipatterns
  7. Guided discussion: IAM in a Microservices use case

Part 8: Deployment patterns for security

  1. Canary candidates
  2. Dark launches
  3. Streamlining libraries and dependencies
  4. Keeping packages up to date
  5. Keeping deploys repeatable and reliable
  6. OpenSCAP for scanning baselines before and after deployments
  7. Scanning web server configuration
  8. Database exploitation through applications
  9. Infrastructure scanning
    • OpenVAS
    • NMAP
  10. Scanning web applications
    • W3AF
    • Wapiti

Part 7: DevSecOps and Operations

  1. Where does ops security begin and end?
  2. Infrastructure as secure code
  3. Incident response planning and emergency drills
  4. Release Archives
  5. OS Protections:
    • Address Space Layout Randomization
    • Non-Executable Stacks
    • W^X
    • Data Execution Prevention
  6. Monitoring, logging and intelligent alerts
    • Splunk mini-tour: a transformative tool for analyzing machine data, operational risk, and application health
  7. Log management
  8. Penetration Testing
  9. Exercise: Profiling a DevSecOps Cloud Model
  10. Exercise: Profiling a DevSecOps Hybrid model

Part 8: Policy, Governance, and Audit

  1. GRC review
  2. Coding for compliance
  3. DevOps and the “segregation of duties”
  4. Tooling example: Chef InSpec
  5. Change management and policy
  6. Exercise: Automated vs. manual documentation for audit trails

Part 9: Change management and DevSecOps

  1. Three types of “change”
  2. When and why to use CAB boards
  3. Peer review vs. change management
  4. Automating change management
  5. ITIL in 2020

Part 10: Measurement and metrics

  1. The core toolkit of metrics
  2. The best way to institute alerts
  3. Managing alerts
  4. Proactive vs. reactive metrics
  5. Measurement antipatterns

Part 11: More advice on the cultural factors

  1. Security fails and breakdowns
  2. Incentive, fear, and reward
  3. Getting outside IT
  4. How to shift left
  5. Building security in
  6. Cost and the business case for proactive security
  7. Overcoming conventions of the past
  8. Bridging silos – why and how
  9. Exercise: Rearranging incentives

Part 12: Putting it all together

  1. Class recap and final questions
  2. What will you do differently when you return to work?
Who should attend
  • Anyone in an IT Leadership role
  • CIOs / CTOs / CSOs
  • Security Administrators
  • Any Security Staff
  • System Administrators
  • IT Operations Staff
  • Release Engineers
  • Configuration Managers
  • Anyone involved with IT infrastructure
  • Developers and Application Team leads
  • ScrumMasters
  • Software Managers and Team Leads
  • IT Project & Program Managers
  • Product Owners and Managers

Download the brochure